When you install certain infrastructure components, the installer prompts you for a username to log in to Oracle Internet Directory. For the installation to complete successfully, this user must belong to certain groups in Oracle Internet Directory. The groups that are required depend on what you are installing.

By adding users to the appropriate groups, you allow users other than the superuser to perform installations; they do not have to log in as the cn=orcladmin superuser to do so.

5.1 Default Users in Oracle Internet Directory

When you install Oracle Internet Directory, it has two users: cn=orcladmin and orcladmin:

cn=orcladmin is the Oracle Internet Directory superuser. This user has all the privileges to perform all tasks in Oracle Internet Directory.

The initial password for cn=orcladmin is the same as the password for the ias_admin user for the Oracle Application Server instance. You specified this password during installation.

cn=orcladmin is the owner of the objects created in the same installation session. For example, if you installed Oracle Internet Directory, OracleAS Metadata Repository, and Oracle Delegated Administration Services, the cn=orcladmin user is created and becomes a member of the Repository Owners group and the DAS Component Owners group. cn=orcladmin also becomes a member of the iAS Admins group.

Note that you cannot log in to Oracle Internet Directory as the superuser (cn=orcladmin) using Oracle Delegated Administration Services. To log in as cn=orcladmin, you must use the Oracle Directory Manager.

The orcladmin user is also created when you install Oracle Internet Directory. The DN for this user is: cn=orcladmin,cn=users,<default realm DN>.

The initial password for orcladmin is the same as the password for the ias_admin user for the Oracle Application Server instance. You specified this password during installation.

You can log in to Oracle Internet Directory as orcladmin using Oracle Delegated Administration Services to manage other Oracle Internet Directory users. You can do this because orcladmin is a valid OracleAS Single Sign-On user.

For more information on the cn=orcladmin and orcladmin users, see the Oracle Internet Directory Administrator's Guide.

5.2 Groups in Oracle Internet Directory

Groups in Oracle Internet Directory can be classified into these categories: groups that apply to the directory as a whole (such as the Trusted Application Admins and IAS & User Management Application Admins groups described next), groups for each metadata repository (Section 5.2.2), and groups for each component (Section 5.2.3).

To install Oracle Identity Management, OracleAS Portal, or OracleAS Wireless components, you must belong to several groups, one of which is the Trusted Application Admins group. Table 5-4 lists the required groups for each component.

To install OracleAS Portal or OracleAS Wireless, you must belong to several groups, one of which is the IAS & User Management Application Admins group. Table 5-4 lists the required groups for each component.

5.2.2 Groups for Each Metadata Repository

Each metadata repository registered with Oracle Internet Directory has its own groups, as described in Table 5-2. This enables you to assign different owners and users for each repository.

Add/remove middle-tier instances from the Associated Middle Tiers group for this repository. This is required to install a middle tier or to configure a middle-tier component to use a different repository.

Members of this group are middle-tier instances associated with this metadata repository. The middle-tier instances are added to this group during installation. You do not have to add the instances manually to this group.

Members of this group have the following privilege:

Access metadata for the repository database object and its schemas.

5.2.3 Groups for Each Component

Oracle Application Server components also have groups in Oracle Internet Directory. Each component has a Component Owners group and an Associated Middle Tiers group, as described in Table 5-3.

To register OracleAS Metadata Repository against Oracle Internet Directory, you must log in to Oracle Internet Directory as a user who belongs to the iAS Admins group.

Table 5-4 Groups Required to Install Each Component (reconstructed from the flattened table)

Component: Oracle Internet Directory
Required groups:
    In OracleAS Cluster (Identity Management) environments, to install subsequent Oracle Internet Directory instances after the first one, you must be the Oracle Internet Directory superuser (cn=orcladmin).

Component: Oracle Delegated Administration Services
Required groups:
    Trusted Application Admins
    iAS Admins
    Mid-Tier Admins group for the metadata repository used by OracleAS Single Sign-On
    Component Owners group for the Oracle Delegated Administration Services component
    Note: This group is required only if you are installing multiple instances of Oracle Delegated Administration Services. You need to belong to the Component Owners group when you install the second and subsequent instances; you do not need to be a member when you install the first Oracle Delegated Administration Services instance.
    Mid-Tier Admins or Repository Owners group for the metadata repository

Portal and Wireless, and Business Intelligence and Forms Middle-tier Components

Component: OracleAS Portal
Required groups:
    Trusted Application Admins
    IAS & User Management Application Admins
    iAS Admins
    Mid-Tier Admins or Repository Owners group for the metadata repository
    Component Owners group for the OracleAS Portal component
    Note: This group is applicable only when you are installing additional OracleAS Portal instances. It does not apply for the first OracleAS Portal installation. For subsequent OracleAS Portal installations, you can perform the installation as the same Oracle Internet Directory user who performed the first installation. If you want to allow a different Oracle Internet Directory user to install OracleAS Portal, you have to add this user to the Component Owners group for the Portal application entity.

Component: OracleAS Wireless
Required groups:
    IAS & User Management Application Admins
    iAS Admins
    Mid-Tier Admins or Repository Owners group for the metadata repository
    Component Owners group for the OracleAS Wireless component
    Note: This group is applicable only when you are installing additional OracleAS Wireless instances. It does not apply for the first OracleAS Wireless installation. For subsequent OracleAS Wireless installations, you can perform the installation as the same Oracle Internet Directory user who performed the first installation. If you want to allow a different Oracle Internet Directory user to install OracleAS Wireless, you have to add this user to the Component Owners group for the Wireless application entity.
    In addition, the user must be one of the owners of the OracleAS Wireless application entity. To determine the name of the OracleAS Wireless application entity, run the following command from the first OracleAS Wireless installation:
    prompt> $ORACLE_HOME/wireless/bin/getAppEntityName.sh
    Then add the user as a component owner for this application entity. You can do this using the Deployment Delegation Console or the Oracle Directory Manager.

Components: OracleAS Reports Services, OracleAS Forms Services, OracleAS Personalization, OracleBI Discoverer
Required groups:
    iAS Admins
    Mid-Tier Admins or Repository Owners group for the metadata repository

5.4.1 Groups Required to Install Against the Desired Metadata Repository

To install middle tiers against a metadata repository, the user must belong to these groups:

IAS Admins group

Mid-Tier Admins group for the metadata repository to be used with the middle tier. When the installer prompts for the OracleAS Metadata Repository to use with this middle tier, the installer displays only the metadata repositories for which the user is a mid-tier admin. For example, in Figure 5-2, userA can see only the repository for orcl.oracle.com, and userB can see only the repository for orcl1.oracle.com.

5.4.2 Groups Required to Install Middle-tier Components

To install middle-tier components, such as OracleAS Portal and OracleAS Wireless, the user must belong to additional groups. See Table 5-4 for a list of components and required groups.

5.4.3 Example

Figure 5-1 shows an Oracle Internet Directory with one metadata repository and one middle-tier instance. userA can install middle tiers against the orcl metadata repository because userA belongs to the Mid-Tier Admins and the IAS Admins groups. userA can also install middle-tier components because userA belongs to the Trusted Application Admins group, the IAS & User Management Application Admins group, and the Component Owners group for Wireless.

Figure 5-1 Contents of Oracle Internet Directory with One Infrastructure and One Middle Tier
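As an added example (not from the Oracle documentation), the following Python script models the group checks described in Sections 5.4.1 through 5.4.3: which metadata repositories the installer will offer a user, and which groups from Table 5-4 a user still lacks for a given component, including the Component Owners rule for second and later Portal or Wireless instances. The membership snapshot is constructed to match userA, userB and orcladmin in Figures 5-1 and 5-2; group, repository and component names are taken from the page, and a real preflight would read memberships from the directory instead of a dictionary.

```python
# Preflight check of the Oracle Internet Directory group memberships an installing
# user needs, following Table 5-4 and Section 5.4 as reproduced on this page.
# Added example, not Oracle code; the membership snapshot below is constructed.

# Directory-wide groups required per component (Table 5-4).
DIRECTORY_WIDE = {
    "OracleAS Portal": ("Trusted Application Admins",
                        "IAS & User Management Application Admins", "iAS Admins"),
    "OracleAS Wireless": ("IAS & User Management Application Admins", "iAS Admins"),
    "OracleBI Discoverer": ("iAS Admins",),
}

# Constructed snapshot: string keys are directory-wide groups; tuple keys are
# (metadata repository, group) or (component, group) per Sections 5.2.2/5.2.3.
MEMBERSHIPS = {
    "Trusted Application Admins": {"userA"},
    "IAS & User Management Application Admins": {"userA"},
    "iAS Admins": {"userA", "userB", "orcladmin"},
    ("orcl.oracle.com", "Mid-Tier Admins"): {"userA", "orcladmin"},
    ("orcl.oracle.com", "Repository Owners"): {"orcladmin"},
    ("orcl1.oracle.com", "Mid-Tier Admins"): {"userB"},
    ("OracleAS Wireless", "Component Owners"): {"userA"},
}


def is_member(memberships, user, key):
    return user in memberships.get(key, set())


def visible_repositories(memberships, user):
    """Repositories the installer offers: those where user is a Mid-Tier Admin."""
    return sorted(key[0] for key in memberships
                  if isinstance(key, tuple) and key[1] == "Mid-Tier Admins"
                  and user in memberships[key])


def missing_groups(memberships, user, component, repo, first_instance=True):
    """Groups user still lacks to install component against repo ([] = OK)."""
    missing = [g for g in DIRECTORY_WIDE[component]
               if not is_member(memberships, user, g)]
    # Either per-repository group satisfies the repository requirement.
    if not (is_member(memberships, user, (repo, "Mid-Tier Admins"))
            or is_member(memberships, user, (repo, "Repository Owners"))):
        missing.append(f"Mid-Tier Admins or Repository Owners ({repo})")
    # Second and later Portal/Wireless instances also need Component Owners.
    if (not first_instance and component in ("OracleAS Portal", "OracleAS Wireless")
            and not is_member(memberships, user, (component, "Component Owners"))):
        missing.append(f"Component Owners ({component})")
    return missing
```

Running missing_groups for userB against orcl.oracle.com shows why the installer would not offer that repository: userB is neither a Mid-Tier Admin nor a Repository Owner for it.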

5.5 Groups Required to Install Additional Metadata Repositories

To install additional metadata repositories, a user must be a member of the IAS Admins group. After installation, the user then becomes a member of the Repository Owners group for that metadata repository.

5.6 Example of Installation with Different Users

Figure 5-2 shows an Oracle Internet Directory with two metadata repositories and two middle tiers installed by different users.

Figure 5-2 Oracle Internet Directory with Two Metadata Repositories and Two Middle Tiers

This first installation creates an Oracle Internet Directory and a metadata repository.

The installer registers the metadata repository with Oracle Internet Directory by creating the "orcl.oracle.com" entry.

The orcladmin user becomes a member of the Repository Owners group and the Mid-Tier Admins group for this repository.

2. Install J2EE and Web Cache Middle Tier

userA was added to the following groups:

Mid-Tier Admins group of "orcl.oracle.com"

This enables userA to use the "orcl.oracle.com" repository for this middle tier. Note that this group is required only if you install the J2EE and Web Cache middle tier with the OracleAS Database-Based Cluster option. If you install the middle tier without this option, userA does not need to belong to this Mid-Tier Admins group.

iAS Admins group

The installer registers this middle tier with Oracle Internet Directory by creating the "J2EE" entry. (The "J2EE" is the name of the middle-tier instance, specified by userA.)

The middle tier becomes a member of the Associated Mid-Tiers group for "orcl.oracle.com".

The installer registers this middle tier with Oracle Internet Directory by creating the "PW1" entry.

The middle tier becomes a member of the Associated Mid-Tiers group for "orcl1.oracle.com".

5.7 How to Create Users in Oracle Internet Directory

You can create users in Oracle Internet Directory using the Self-Service Console, which is part of the Oracle Delegated Administration Services. See the Oracle Internet Directory Administrator's Guide for details.

Note:

You cannot connect to Oracle Internet Directory as the cn=orcladmin superuser using the Oracle Delegated Administration Services consoles. To connect to Oracle Internet Directory as the superuser, use Oracle Directory Manager.

5.8 How to Add Users to Groups in Oracle Internet Directory

To add users to groups in Oracle Internet Directory, you can use these tools:

Oracle Delegated Administration Services is a Web-based tool intended for end-users to perform tasks such as changing their passwords and editing their personal information. If users have the proper privileges, they can also use this tool to create groups and users.

Note:

You cannot log in to Oracle Internet Directory as the cn=orcladmin superuser using Oracle Delegated Administration Services. In cases where you have to log in as the superuser to add users to groups (or to perform other Oracle Internet Directory-related tasks), you have to use Oracle Directory Manager.

5.8.1 Using Oracle Directory Manager to Add Users to Groups

When you have to log in as the cn=orcladmin superuser to add users to groups, you have to use Oracle Directory Manager, instead of Oracle Delegated Administration Services.

To add users using Oracle Directory Manager:

Start up Oracle Directory Manager. ORACLE_HOME refers to the home directory where Oracle Internet Directory is installed.

Expand orclApplicationCommonName=appName, where appName is specific to the component and application server instance. If you have installed multiple instances of a component, you would see multiple instances of this entry.

Click the group to which you want to add users. Figure 5-5 shows Oracle Directory Manager with the Component Owners group for Oracle Delegated Administration Services selected.

Figure 5-5 Using Oracle Directory Manager to Add Users to the Component Users Group for the Oracle Delegated Administration Services Component

An entry for the metadata repository registered with the Oracle Internet Directory. This metadata repository is associated with the groups listed in Table 5-2. The cn=orcladmin superuser is a member of the Repository Owners group.

An application entity entry for the Oracle Delegated Administration Services component. This component is associated with the groups listed in Table 5-3. The cn=orcladmin superuser is a member of the Component Owners group.

5.10 On the Specify Login for Oracle Internet Directory Screen, What Username and Realm Do I Enter?

The Specify Login for Oracle Internet Directory screen appears in these situations:

when you are installing OracleAS Infrastructure and you are using an existing Oracle Internet Directory

when you are installing a middle tier that requires an infrastructure.

This screen prompts you to enter a username and password to log in to Oracle Internet Directory.

Username

In the Username field, enter either the simple username or the user's DN.

Simple username example: jdoe

DN example: cn=orcladmin

The user must belong to specific groups for installing and configuring certain components. See Table 5-4 for details.

If you want to specify the superuser, enter cn=orcladmin, not just orcladmin.

Realm

The Realm field appears only if your Oracle Internet Directory contains more than one realm. The username that you enter is authenticated against the specified realm. If you are unsure what the realm name is, contact your Oracle Internet Directory administrator.

Example 1: In a hosted deployment, the realm name could be similar to the name of the hosted company: XYZCorp.

Example 2: within an enterprise, you could have separate realms for internal users and external users. The realm name for the external users could be externalUsers.